.. _api-audit-support:

=================
API Audit Logging
=================

The audit middleware delivers CADF audit events through the Oslo messaging
notifier capability. Depending on the ``notification_driver`` configuration,
audit events are routed either to the messaging infrastructure
(``notification_driver = messagingv2``) or to a log file
(``[oslo_messaging_notifications]/driver = log``).

The audit middleware creates two events per REST API interaction. The first
event carries information extracted from the request data, and the second
carries the request outcome (response).

Enabling API Audit Logging
==========================

The audit middleware is available as part of the ``keystonemiddleware``
library (>= 1.6). For information about how the audit middleware functions,
refer to the :keystonemiddleware-doc:`keystonemiddleware audit documentation <audit.html>`.

Auditing can be enabled for the Bare Metal service by making the following
changes to ``/etc/ironic/ironic.conf``.

#. To enable audit logging of API requests::

     [audit]
     ...
     enabled=true

#. To customize auditing of API requests, the audit middleware requires the
   ``audit_map_file`` setting to be defined. Set ``audit_map_file`` to the
   location of the audit map file. Audit map file configuration options for
   the Bare Metal service are included in the
   ``etc/ironic/ironic_api_audit_map.conf.sample`` file. To understand the CADF
   format specified in the ``ironic_api_audit_map.conf`` file, refer to
   `CADF Format <http://www.dmtf.org/sites/default/files/standards/documents/DSP2038_1.0.0.pdf>`_::

     [audit]
     ...
     audit_map_file=/etc/ironic/api_audit_map.conf

#. To exclude specific Ironic REST API HTTP methods from auditing, set
   ``ignore_req_list`` to a comma-separated list of those methods. The setting
   is used only when API audit is enabled. For example::

     [audit]
     ...
     ignore_req_list=GET,POST

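
The following check is an added example, not part of the Ironic code base. It reads the ``[audit]`` settings described in the steps above and reports values that leave gaps in the audit trail. The function name, the finding strings, and the choice of which HTTP methods count as state-changing are assumptions of this example.

```python
import configparser

# Assumption of this example: methods that change Bare Metal state should
# never be dropped from the audit trail.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

def check_audit_config(text):
    """Return findings for the [audit] section of ironic.conf content."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    if not cfg.has_section("audit"):
        return ["[audit] section missing"]
    audit = cfg["audit"]
    findings = []
    try:
        enabled = audit.getboolean("enabled", fallback=False)
    except ValueError:  # value is not a recognisable boolean
        enabled = False
    if not enabled:
        findings.append("enabled is not true")
    if not audit.get("audit_map_file", "").strip():
        findings.append("audit_map_file is not set")
    ignored = {m.strip().upper()
               for m in audit.get("ignore_req_list", "").split(",") if m.strip()}
    risky = sorted(ignored & STATE_CHANGING)
    if risky:
        findings.append("ignore_req_list skips state-changing methods: "
                        + ",".join(risky))
    return findings

# Constructed samples: the first combines the three settings shown above,
# the second keeps POST requests in the audit trail.
PAGE_EXAMPLE = """
[audit]
enabled=true
audit_map_file=/etc/ironic/api_audit_map.conf
ignore_req_list=GET,POST
"""
TIGHTENED = PAGE_EXAMPLE.replace("GET,POST", "GET")

if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("tightened", TIGHTENED)):
        print(name, check_audit_config(text) or "no findings")
```
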

Sample Audit Event
==================

The following is a sample audit event for an ironic node list request.

.. code-block:: json

    {
       "event_type":"audit.http.request",
       "timestamp":"2016-06-15 06:04:30.904397",
       "payload":{
          "typeURI":"http://schemas.dmtf.org/cloud/audit/1.0/event",
          "eventTime":"2016-06-15T06:04:30.903071+0000",
          "target":{
             "id":"ironic",
             "typeURI":"unknown",
             "addresses":[
                {
                   "url":"http://{ironic_admin_host}:6385",
                   "name":"admin"
                },
                {
                   "url":"http://{ironic_internal_host}:6385",
                   "name":"private"
                },
                {
                   "url":"http://{ironic_public_host}:6385",
                   "name":"public"
                }
             ],
             "name":"ironic"
          },
          "observer":{
             "id":"target"
          },
          "tags":[
             "correlation_id?value=685f1abb-620e-5d5d-b74a-b4135fb32373"
          ],
          "eventType":"activity",
          "initiator":{
             "typeURI":"service/security/account/user",
             "name":"admin",
             "credential":{
                "token":"***",
                "identity_status":"Confirmed"
             },
             "host":{
                "agent":"python-ironicclient",
                "address":"10.1.200.129"
             },
             "project_id":"d8f52dd7d9e1475dbbf3ba47a4a83313",
             "id":"8c1a948bad3948929aa5d5b50627a174"
          },
          "action":"read",
          "outcome":"pending",
          "id":"061b7aa7-5879-5225-a331-c002cf23cb6c",
          "requestPath":"/v1/nodes/?associated=True"
       },
       "priority":"INFO",
       "publisher_id":"ironic-api",
       "message_id":"2f61ebaa-2d3e-4023-afba-f9fca6f21fc2"
    }

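
Because the request event only ever reports ``"outcome":"pending"``, a consumer has to join it with the second event to learn the result. The following is an added example, not part of Ironic or keystonemiddleware. It assumes the second event arrives with ``event_type`` ``audit.http.response`` and the same payload ``id``; all sample lines are constructed, using field values from the sample event above where available.

```python
import json

REQUEST, RESPONSE = "audit.http.request", "audit.http.response"

def correlation_id(payload):
    """Extract the value from a 'correlation_id?value=<id>' tag, if present."""
    for tag in payload.get("tags", []):
        key, _, value = tag.partition("?value=")
        if key == "correlation_id":
            return value
    return None

def pair_events(lines):
    """Group JSON notifications by CADF payload id, one row per interaction."""
    pairs = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") in (REQUEST, RESPONSE):
            pairs.setdefault(ev["payload"]["id"], {})[ev["event_type"]] = ev["payload"]
    report = []
    for event_id, pair in pairs.items():
        src = pair.get(REQUEST) or pair[RESPONSE]
        resp = pair.get(RESPONSE)
        init = src.get("initiator", {})
        report.append({
            "id": event_id, "correlation_id": correlation_id(src),
            "user": init.get("name"),
            "address": init.get("host", {}).get("address"),
            "action": src.get("action"), "path": src.get("requestPath"),
            # Only the response event carries the real result.
            "outcome": resp["outcome"] if resp else "no-response"})
    return report

def needs_review(report):
    """Interactions that failed or never produced a response event."""
    return [r for r in report if r["outcome"] != "success"]

def sample(event_type, event_id, outcome, action, path):
    # Constructed sample line; ids other than the first are placeholders.
    return json.dumps({"event_type": event_type, "payload": {
        "id": event_id, "action": action, "outcome": outcome, "requestPath": path,
        "tags": ["correlation_id?value=corr-" + event_id],
        "initiator": {"name": "admin", "host": {"address": "10.1.200.129"}}}})

PAGE_ID = "061b7aa7-5879-5225-a331-c002cf23cb6c"
SAMPLE_LINES = [
    sample(REQUEST, PAGE_ID, "pending", "read", "/v1/nodes/?associated=True"),
    sample(RESPONSE, PAGE_ID, "success", "read", "/v1/nodes/?associated=True"),
    sample(REQUEST, "constructed-id-2", "pending", "update", "/v1/nodes/example"),
    sample(RESPONSE, "constructed-id-2", "failure", "update", "/v1/nodes/example"),
    sample(REQUEST, "constructed-id-3", "pending", "read", "/v1/ports"),
]
```
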